feat: add kanidm module

2025-12-06 09:07:21 +01:00 · 2025-06-09 05:02:01 +02:00 · 2025-06-09 05:02:01 +02:00 · f87164088f
commit f87164088f
parent 616522bfa6
9 changed files with 854 additions and 130 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -4055,6 +4055,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
            emacs = lib.mkDefault true;
            freshrss = lib.mkDefault true;
            jenkins = lib.mkDefault false;
            kanidm = lib.mkDefault true;
          };
        };
      };
@ -7383,7 +7384,9 @@ Here we just define some aliases for rebuilding the system, and we allow some in
        port = 3001;
        openFirewall = true;
        mediaLocation = "/Vault/Eternor/Immich";
-        environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
+        environment = {
          IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
        };
      };
@ -7425,7 +7428,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
 :END:
 #+begin_src nix :tangle modules/nixos/server/paperless.nix
-  { lib, config, ... }:
+  { lib, pkgs, config, ... }:
  {
    options.swarselsystems.modules.server.paperless = lib.mkEnableOption "enable paperless on server";
    config = lib.mkIf config.swarselsystems.modules.server.paperless {
@ -7434,8 +7437,14 @@ Here we just define some aliases for rebuilding the system, and we allow some in
        extraGroups = [ "users" ];
      };
-
+      sops.secrets = {
-      sops.secrets.paperless_admin = { owner = "paperless"; };
+        paperless_admin = { owner = "paperless"; };
        kanidm-paperless-client = {
          owner = "paperless";
          group = "paperless";
          mode = "440";
        };
      };
      services.paperless = {
        enable = true;
@ -7453,8 +7462,34 @@ Here we just define some aliases for rebuilding the system, and we allow some in
            invalidate_digital_signatures = true;
            pdfa_image_compression = "lossless";
          };
          PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
          PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
            openid_connect = {
              OAUTH_PKCE_ENABLED = "True";
              APPS = [
                rec {
                  provider_id = "kanidm";
                  name = "Kanidm";
                  client_id = "paperless";
                  # secret will be added dynamically
                  #secret = "";
                  settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
                }
              ];
            };
          };
        };
      };
      # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
      systemd.services.paperless-web.script = lib.mkBefore ''
        oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
        export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
          ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
            --compact-output \
            --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
                       )
      '';
      services.nginx = {
        virtualHosts = {
@ -7809,7 +7844,7 @@ This manages backups for my pictures and obsidian files.
  }
 #+end_src
-**** monitoring
+**** monitoring (Grafana)
 :PROPERTIES:
 :CUSTOM_ID: h:a31c7192-e11d-4a26-915d-1bbc38e373d3
 :END:
@ -7818,6 +7853,9 @@ This section exposes several metrics that I use to check the health of my server
 #+begin_src nix :tangle modules/nixos/server/monitoring.nix
  { self, lib, config, ... }:
  let
    grafanaDomain = "status.swarsel.win";
  in
  {
    options.swarselsystems.modules.server.monitoring = lib.mkEnableOption "enable monitoring on server";
    config = lib.mkIf config.swarselsystems.modules.server.monitoring {
@ -7829,6 +7867,11 @@ This section exposes several metrics that I use to check the health of my server
        prometheusadminpass = {
          owner = "grafana";
        };
        kanidm-grafana-client = {
          owner = "grafana";
          group = "grafana";
          mode = "440";
        };
      };
      users = {
@ -7854,7 +7897,7 @@ This section exposes several metrics that I use to check the health of my server
                {
                  name = "prometheus";
                  type = "prometheus";
-                  url = "https://status.swarsel.win/prometheus";
+                  url = "https://${grafanaDomain}/prometheus";
                  editable = false;
                  access = "proxy";
                  basicAuth = true;
@ -7879,10 +7922,30 @@ This section exposes several metrics that I use to check the health of my server
          settings = {
            security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
            server = {
              domain = grafanaDomain;
              root_url = "https://${grafanaDomain}";
              http_port = 3000;
-              http_addr = "127.0.0.1";
+              http_addr = "0.0.0.0";
              protocol = "http";
-              domain = "status.swarsel.win";
+            };
            "auth.generic_oauth" = {
              enabled = true;
              name = "Kanidm";
              icon = "signin";
              allow_sign_up = true;
              #auto_login = true;
              client_id = "grafana";
              client_secret = "$__file{${config.sops.secrets.kanidm-grafana-client.path}}";
              scopes = "openid email profile";
              login_attribute_path = "preferred_username";
              auth_url = "https://sso.swarsel.win/ui/oauth2";
              token_url = "https://sso.swarsel.win/oauth2/token";
              api_url = "https://sso.swarsel.win/oauth2/openid/grafana/userinfo";
              use_pkce = true;
              use_refresh_token = true;
              # Allow mapping oauth2 roles to server admin
              allow_assign_grafana_admin = true;
              role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
            };
          };
        };
@ -7966,6 +8029,7 @@ This section exposes several metrics that I use to check the health of my server
              locations = {
                "/" = {
                  proxyPass = "http://localhost:3000";
                  proxyWebsockets = true;
                  extraConfig = ''
                    client_max_body_size 0;
                  '';
@ -8212,6 +8276,181 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
  }
 #+end_src
 **** kanidm
 #+begin_src nix :tangle modules/nixos/server/kanidm.nix
  { self, lib, pkgs, config, ... }:
  let
    certsSopsFile = self + /secrets/certs/secrets.yaml;
    kanidmDomain = "sso.swarsel.win";
    kanidmPort = 8300;
  in
  {
    options.swarselsystems.modules.server.kanidm = lib.mkEnableOption "enable kanidm on server";
    config = lib.mkIf config.swarselsystems.modules.server.kanidm {
      users.users.kanidm = {
        group = "kanidm";
        isSystemUser = true;
      };
      users.groups.kanidm = { };
      sops.secrets = {
        "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
        "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
        "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
        "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
        "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
        "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
        "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
        "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      };
      services.kanidm = {
        package = pkgs.kanidmWithSecretProvisioning;
        enableServer = true;
        serverSettings = {
          domain = kanidmDomain;
          origin = "https://${kanidmDomain}";
          tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
          tls_key = config.sops.secrets.kanidm-self-signed-key.path;
          bindaddress = "0.0.0.0:${toString kanidmPort}";
          trust_x_forward_for = true;
        };
        enableClient = true;
        clientSettings = {
          uri = config.services.kanidm.serverSettings.origin;
          verify_ca = true;
          verify_hostnames = true;
        };
        provision = {
          enable = true;
          adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path;
          idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path;
          groups = {
            "immich.access" = { };
            "paperless.access" = { };
            "forgejo.access" = { };
            "forgejo.admins" = { };
            "grafana.access" = { };
            "grafana.editors" = { };
            "grafana.admins" = { };
            "grafana.server-admins" = { };
          };
          persons = {
            swarsel = {
              present = true;
              mailAddresses = [ "leon@swarsel.win" ];
              legalName = "Leon Schwarzäugl";
              groups = [
                "immich.access"
                "paperless.access"
                "grafana.access"
                "forgejo.access"
              ];
              displayName = "Swarsel";
            };
          };
          systems = {
            oauth2 = {
              immich = {
                displayName = "Immich";
                originUrl = [
                  "https://shots.swarsel.win/auth/login"
                  "https://shots.swarsel.win/user-settings"
                  "app.immich:///oauth-callback"
                  "https://shots.swarsel.win/api/oauth/mobile-redirect"
                ];
                originLanding = "https://shots.swarsel.win/";
                basicSecretFile = config.sops.secrets.kanidm-immich.path;
                preferShortUsername = true;
                enableLegacyCrypto = true; # can use RS256 / HS256, not ES256
                scopeMaps."immich.access" = [
                  "openid"
                  "email"
                  "profile"
                ];
              };
              paperless = {
                displayName = "Paperless";
                originUrl = "https://scan.swarsel.win/accounts/oidc/kanidm/login/callback/";
                originLanding = "https://scan.swarsel.win/";
                basicSecretFile = config.sops.secrets.kanidm-paperless.path;
                preferShortUsername = true;
                scopeMaps."paperless.access" = [
                  "openid"
                  "email"
                  "profile"
                ];
              };
              forgejo = {
                displayName = "Forgejo";
                originUrl = "https://swagit.swarsel.win/user/oauth2/kanidm/callback";
                originLanding = "https://swagit.swarsel.win/";
                basicSecretFile = config.sops.secrets.kanidm-forgejo.path;
                scopeMaps."forgejo.access" = [
                  "openid"
                  "email"
                  "profile"
                ];
                # XXX: PKCE is currently not supported by gitea/forgejo,
                # see https://github.com/go-gitea/gitea/issues/21376.
                allowInsecureClientDisablePkce = true;
                preferShortUsername = true;
                claimMaps.groups = {
                  joinType = "array";
                  valuesByGroup."forgejo.admins" = [ "admin" ];
                };
              };
              grafana = {
                displayName = "Grafana";
                originUrl = "https://status.swarsel.win/login/generic_oauth";
                originLanding = "https://status.swarsel.win/";
                basicSecretFile = config.sops.secrets.kanidm-grafana.path;
                preferShortUsername = true;
                scopeMaps."grafana.access" = [
                  "openid"
                  "email"
                  "profile"
                ];
                claimMaps.groups = {
                  joinType = "array";
                  valuesByGroup = {
                    "grafana.editors" = [ "editor" ];
                    "grafana.admins" = [ "admin" ];
                    "grafana.server-admins" = [ "server_admin" ];
                  };
                };
              };
            };
          };
        };
      };
      systemd.services.kanidm.serviceConfig.RestartSec = "30";
      services.nginx = {
        virtualHosts = {
          "sso.swarsel.win" = {
            enableACME = true;
            forceSSL = true;
            acmeRoot = null;
            locations = {
              "/" = {
                proxyPass = "https://localhost:${toString kanidmPort}";
              };
            };
            extraConfig = ''
              proxy_ssl_verify off;
            '';
          };
        };
      };
    };
  }
 #+end_src
 *** Darwin
 :PROPERTIES:
 :CUSTOM_ID: h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47
--- a/index.html
+++ b/index.html
@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-06-09 Mo 03:26 -->
+<!-- 2025-06-09 Mo 12:45 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configuration</title>
@ -263,9 +263,9 @@
 <li><a href="#h:7056b9a0-f38b-4bca-b2ba-ab34e2d73493">3.1.4.3. Home-manager only (default non-NixOS)</a></li>
 <li><a href="#h:e1498bef-ec67-483d-bf02-76264e30be8e">3.1.4.4. ChaosTheatre (Demo Physical/VM)</a>
 <ul>
-<li><a href="#org7d36836">3.1.4.4.1. Main configuration</a></li>
+<li><a href="#org9b449ff">3.1.4.4.1. Main configuration</a></li>
-<li><a href="#org96e39c3">3.1.4.4.2. NixOS dummy options configuration</a></li>
+<li><a href="#org10cff1b">3.1.4.4.2. NixOS dummy options configuration</a></li>
-<li><a href="#org9944579">3.1.4.4.3. home-manager dummy options configuration</a></li>
+<li><a href="#org0c539d3">3.1.4.4.3. home-manager dummy options configuration</a></li>
 </ul>
 </li>
 </ul>
@ -305,7 +305,7 @@
 <li><a href="#h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">3.2.1.27. fhs</a></li>
 <li><a href="#h:814d5e7f-4b95-412d-b246-33f888514ec6">3.2.1.28. swarsel-displaypower</a></li>
 <li><a href="#h:799579f3-ddd3-4f76-928a-a8c665980476">3.2.1.29. swarsel-mgba</a></li>
-<li><a href="#org7169988">3.2.1.30. sshrm</a></li>
+<li><a href="#orgda3c026">3.2.1.30. sshrm</a></li>
 </ul>
 </li>
 <li><a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">3.2.2. Overlays (additions, overrides, nixpkgs-stable)</a></li>
@ -313,28 +313,28 @@
 <ul>
 <li><a href="#h:14e68518-8ec7-48ec-b208-0e3d6d49954d">3.2.3.1. NixOS</a>
 <ul>
-<li><a href="#orgc40c880">3.2.3.1.1. Personal</a></li>
+<li><a href="#org9037d50">3.2.3.1.1. Personal</a></li>
-<li><a href="#org8b621b6">3.2.3.1.2. Chaostheatre</a></li>
+<li><a href="#org4d186bc">3.2.3.1.2. Chaostheatre</a></li>
-<li><a href="#orgc447ea6">3.2.3.1.3. toto</a></li>
+<li><a href="#orgb6e7397">3.2.3.1.3. toto</a></li>
-<li><a href="#org242a8a7">3.2.3.1.4. Work</a></li>
+<li><a href="#orgb297f59">3.2.3.1.4. Work</a></li>
-<li><a href="#org0af8026">3.2.3.1.5. Framework</a></li>
+<li><a href="#org2faed76">3.2.3.1.5. Framework</a></li>
-<li><a href="#org60114bf">3.2.3.1.6. AMD CPU</a></li>
+<li><a href="#org9900420">3.2.3.1.6. AMD CPU</a></li>
-<li><a href="#org006abd1">3.2.3.1.7. AMD GPU</a></li>
+<li><a href="#org895cc35">3.2.3.1.7. AMD GPU</a></li>
-<li><a href="#org8b4acf6">3.2.3.1.8. Hibernation</a></li>
+<li><a href="#org39be1cf">3.2.3.1.8. Hibernation</a></li>
-<li><a href="#orgc6b961c">3.2.3.1.9. BTRFS</a></li>
+<li><a href="#org7672d00">3.2.3.1.9. BTRFS</a></li>
-<li><a href="#orgb72a5aa">3.2.3.1.10. Local Server</a></li>
+<li><a href="#org1bda8d7">3.2.3.1.10. Local Server</a></li>
-<li><a href="#org37ce6f2">3.2.3.1.11. OCI Sync Server</a></li>
+<li><a href="#org17d23c6">3.2.3.1.11. OCI Sync Server</a></li>
 </ul>
 </li>
 <li><a href="#h:ced5841f-c088-4d88-b3a1-7d62aad8837b">3.2.3.2. home-manager</a>
 <ul>
-<li><a href="#orgb37c738">3.2.3.2.1. Personal</a></li>
+<li><a href="#org47e7345">3.2.3.2.1. Personal</a></li>
-<li><a href="#orgbf3722f">3.2.3.2.2. Chaostheatre</a></li>
+<li><a href="#orgcc5e0f5">3.2.3.2.2. Chaostheatre</a></li>
-<li><a href="#orgd8744f7">3.2.3.2.3. toto</a></li>
+<li><a href="#org3185dd7">3.2.3.2.3. toto</a></li>
-<li><a href="#org2e6004c">3.2.3.2.4. Work</a></li>
+<li><a href="#org061d35f">3.2.3.2.4. Work</a></li>
-<li><a href="#orgd69a7ed">3.2.3.2.5. Framework</a></li>
+<li><a href="#org367969f">3.2.3.2.5. Framework</a></li>
-<li><a href="#orged364f5">3.2.3.2.6. Darwin</a></li>
+<li><a href="#org19a7899">3.2.3.2.6. Darwin</a></li>
-<li><a href="#orge7ba9f2">3.2.3.2.7. Local Server</a></li>
+<li><a href="#org22458da">3.2.3.2.7. Local Server</a></li>
 </ul>
 </li>
 </ul>
@ -379,7 +379,7 @@
 <li><a href="#h:f101daa2-604d-4553-99e2-f64b9c207f51">3.3.1.22.3. enable GVfs</a></li>
 <li><a href="#h:08d213d5-a9f4-4309-8635-ba557b01dc7d">3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL</a></li>
 <li><a href="#h:82fbba41-3a46-4db7-aade-49e4c23fc475">3.3.1.22.5. power-profiles-daemon</a></li>
-<li><a href="#orgf6a9187">3.3.1.22.6. SwayOSD</a></li>
+<li><a href="#org8e440af">3.3.1.22.6. SwayOSD</a></li>
 </ul>
 </li>
 <li><a href="#h:7a89b5e3-b700-4167-8b14-2b8172f33936">3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules</a>
@ -425,12 +425,13 @@
 <li><a href="#h:5afeb311-ab86-4029-be53-2160f6d836c3">3.3.2.18. transmission</a></li>
 <li><a href="#h:ad2787a2-7b1c-4326-aeff-9d8d6c3f591d">3.3.2.19. syncthing</a></li>
 <li><a href="#h:b73ac8bf-b721-4563-9eff-973925c99a39">3.3.2.20. restic</a></li>
-<li><a href="#h:a31c7192-e11d-4a26-915d-1bbc38e373d3">3.3.2.21. monitoring</a></li>
+<li><a href="#h:a31c7192-e11d-4a26-915d-1bbc38e373d3">3.3.2.21. monitoring (Grafana)</a></li>
 <li><a href="#h:23452a18-a0a1-4515-8612-ceb19bb5fc22">3.3.2.22. Jenkins</a></li>
 <li><a href="#h:4e6824bc-c3db-485d-b543-4072e6283b62">3.3.2.23. Emacs elfeed (RSS Server)</a></li>
 <li><a href="#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d">3.3.2.24. FreshRSS</a></li>
 <li><a href="#h:a9965660-4358-4b9a-8c46-d55f28598344">3.3.2.25. forgejo (git server)</a></li>
 <li><a href="#h:cb3f6552-7751-4f9a-b4c7-8d8ba5b255c4">3.3.2.26. Anki Sync Server</a></li>
 <li><a href="#orgeb2a887">3.3.2.27. kanidm</a></li>
 </ul>
 </li>
 <li><a href="#h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47">3.3.3. Darwin</a>
@ -445,11 +446,11 @@
 <li><a href="#h:34db28fb-62f7-4597-a9ff-0de2991a8415">3.3.4.3. VmWare</a></li>
 <li><a href="#h:fa8d9ec4-3e22-458a-9239-859cffe7f55c">3.3.4.4. Auto-login</a></li>
 <li><a href="#h:5c41c4ee-22ca-405b-9e4f-cc4051634edd">3.3.4.5. nswitch-rcm</a></li>
-<li><a href="#org1c6aa69">3.3.4.6. Framework</a></li>
+<li><a href="#org2fd6795">3.3.4.6. Framework</a></li>
-<li><a href="#orge813212">3.3.4.7. AMD CPU</a></li>
+<li><a href="#org28eaeed">3.3.4.7. AMD CPU</a></li>
-<li><a href="#orga04a3e5">3.3.4.8. AMD GPU</a></li>
+<li><a href="#org4c4411c">3.3.4.8. AMD GPU</a></li>
-<li><a href="#org4db606b">3.3.4.9. Hibernation</a></li>
+<li><a href="#org8338221">3.3.4.9. Hibernation</a></li>
-<li><a href="#orgb652890">3.3.4.10. BTRFS</a></li>
+<li><a href="#org952308a">3.3.4.10. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.3.4.11. work</a></li>
 <li><a href="#h:3fc1d301-7bae-4678-9085-d12c23eed8ac">3.3.4.12. Minimal Install</a></li>
 </ul>
@ -498,7 +499,7 @@
 <li><a href="#h:cb812c8a-247c-4ce5-a00c-59332c2f5fb9">3.4.1.29.1. gnome-keyring</a></li>
 <li><a href="#h:be6afd89-9e1e-40b6-8542-5c07a0ab780d">3.4.1.29.2. KDE Connect</a></li>
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.4.1.29.3. Mako</a></li>
-<li><a href="#org490abd7">3.4.1.29.4. SwayOSD</a></li>
+<li><a href="#org978f035">3.4.1.29.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.4.1.29.5. yubikey-touch-detector</a></li>
 </ul>
 </li>
@ -523,7 +524,7 @@
 <ul>
 <li><a href="#h:84fd7029-ecb6-4131-9333-289982f24ffa">3.4.4.1. Gaming</a></li>
 <li><a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">3.4.4.2. Work</a></li>
-<li><a href="#org8bce8cc">3.4.4.3. Framework</a></li>
+<li><a href="#orgeba9bdf">3.4.4.3. Framework</a></li>
 </ul>
 </li>
 </ul>
@ -701,7 +702,7 @@
 <ul>
 <li><a href="#h:c1e53aed-fb47-4aff-930c-dc52f3c5dcb8">6.1. Server Emacs config</a></li>
 <li><a href="#h:fc64f42f-e7cf-4829-89f6-2d0d58e04f51">6.2. tridactylrc</a></li>
-<li><a href="#orga21e7e2">6.3. tridactyl theme</a></li>
+<li><a href="#org47034b7">6.3. tridactyl theme</a></li>
 <li><a href="#h:77b1c523-5074-4610-b320-90af95e6134d">6.4. Waybar style.css</a></li>
 <li><a href="#h:788937cf-8816-466b-8e57-1b695cb50f52">6.5. justfile</a></li>
 </ul>
@ -710,7 +711,7 @@
 </div>
 </div>
 <p>
-<b>This file has 62779 words spanning 16469 lines and was last revised on 2025-06-09 03:26:38 +0200.</b>
+<b>This file has 63503 words spanning 16708 lines and was last revised on 2025-06-09 12:45:18 +0200.</b>
 </p>
 <p>
@ -763,7 +764,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 03:26:38 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 12:45:18 +0200)
 </p></li>
 </ul>
@ -2802,8 +2803,8 @@ This is just a demo host. It applies all the configuration found in the common p
 I also set the <code>WLR_RENDERER_ALLOW_SOFTWARE=1</code> to allow this configuration to run in a virtualized environment. I also enable <code>qemuGuest</code> for a smoother experience when testing on QEMU.
 </p>
 </div>
-<div id="outline-container-org7d36836" class="outline-6">
+<div id="outline-container-org9b449ff" class="outline-6">
-<h6 id="org7d36836"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
+<h6 id="org9b449ff"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ self, inputs, config, pkgs, lib, primaryUser, ... }:
@ -2882,8 +2883,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org96e39c3" class="outline-6">
+<div id="outline-container-org10cff1b" class="outline-6">
-<h6 id="org96e39c3"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
+<h6 id="org10cff1b"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-2">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@ -2893,8 +2894,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9944579" class="outline-6">
+<div id="outline-container-org0c539d3" class="outline-6">
-<h6 id="org9944579"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
+<h6 id="org0c539d3"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-3">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@ -4671,8 +4672,8 @@ appimageTools.wrapType2 {
 </div>
 </div>
 </div>
-<div id="outline-container-org7169988" class="outline-5">
+<div id="outline-container-orgda3c026" class="outline-5">
-<h5 id="org7169988"><span class="section-number-5">3.2.1.30.</span> sshrm</h5>
+<h5 id="orgda3c026"><span class="section-number-5">3.2.1.30.</span> sshrm</h5>
 <div class="outline-text-5" id="text-3-2-1-30">
 <p>
 This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
@ -4829,8 +4830,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-orgc40c880" class="outline-6">
+<div id="outline-container-org9037d50" class="outline-6">
-<h6 id="orgc40c880"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
+<h6 id="org9037d50"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-1-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -4897,8 +4898,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org8b621b6" class="outline-6">
+<div id="outline-container-org4d186bc" class="outline-6">
-<h6 id="org8b621b6"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
+<h6 id="org4d186bc"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-1-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -4962,8 +4963,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgc447ea6" class="outline-6">
+<div id="outline-container-orgb6e7397" class="outline-6">
-<h6 id="orgc447ea6"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
+<h6 id="orgb6e7397"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-1-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -4995,8 +4996,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org242a8a7" class="outline-6">
+<div id="outline-container-orgb297f59" class="outline-6">
-<h6 id="org242a8a7"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
+<h6 id="orgb297f59"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-1-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5017,8 +5018,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org0af8026" class="outline-6">
+<div id="outline-container-org2faed76" class="outline-6">
-<h6 id="org0af8026"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
+<h6 id="org2faed76"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-1-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5039,8 +5040,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org60114bf" class="outline-6">
+<div id="outline-container-org9900420" class="outline-6">
-<h6 id="org60114bf"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
+<h6 id="org9900420"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5061,8 +5062,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org006abd1" class="outline-6">
+<div id="outline-container-org895cc35" class="outline-6">
-<h6 id="org006abd1"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
+<h6 id="org895cc35"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5083,8 +5084,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org8b4acf6" class="outline-6">
+<div id="outline-container-org39be1cf" class="outline-6">
-<h6 id="org8b4acf6"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
+<h6 id="org39be1cf"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
 <div class="outline-text-6" id="text-3-2-3-1-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5105,8 +5106,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgc6b961c" class="outline-6">
+<div id="outline-container-org7672d00" class="outline-6">
-<h6 id="orgc6b961c"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
+<h6 id="org7672d00"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
 <div class="outline-text-6" id="text-3-2-3-1-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5127,8 +5128,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgb72a5aa" class="outline-6">
+<div id="outline-container-org1bda8d7" class="outline-6">
-<h6 id="orgb72a5aa"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
+<h6 id="org1bda8d7"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5169,6 +5170,7 @@ in
          emacs = lib.mkDefault true;
          freshrss = lib.mkDefault true;
          jenkins = lib.mkDefault false;
          kanidm = lib.mkDefault true;
        };
      };
    };
@ -5180,8 +5182,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org37ce6f2" class="outline-6">
+<div id="outline-container-org17d23c6" class="outline-6">
-<h6 id="org37ce6f2"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
+<h6 id="org17d23c6"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-11">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5238,8 +5240,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-orgb37c738" class="outline-6">
+<div id="outline-container-org47e7345" class="outline-6">
-<h6 id="orgb37c738"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
+<h6 id="org47e7345"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-2-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5296,8 +5298,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgbf3722f" class="outline-6">
+<div id="outline-container-orgcc5e0f5" class="outline-6">
-<h6 id="orgbf3722f"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
+<h6 id="orgcc5e0f5"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-2-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5349,8 +5351,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgd8744f7" class="outline-6">
+<div id="outline-container-org3185dd7" class="outline-6">
-<h6 id="orgd8744f7"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
+<h6 id="org3185dd7"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-2-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5370,8 +5372,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2e6004c" class="outline-6">
+<div id="outline-container-org061d35f" class="outline-6">
-<h6 id="org2e6004c"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
+<h6 id="org061d35f"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-2-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5391,8 +5393,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgd69a7ed" class="outline-6">
+<div id="outline-container-org367969f" class="outline-6">
-<h6 id="orgd69a7ed"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
+<h6 id="org367969f"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-2-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5413,8 +5415,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orged364f5" class="outline-6">
+<div id="outline-container-org19a7899" class="outline-6">
-<h6 id="orged364f5"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
+<h6 id="org19a7899"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
 <div class="outline-text-6" id="text-3-2-3-2-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5432,8 +5434,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orge7ba9f2" class="outline-6">
+<div id="outline-container-org22458da" class="outline-6">
-<h6 id="orge7ba9f2"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
+<h6 id="org22458da"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-2-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -6966,8 +6968,8 @@ Most of the time I am using <code>power-saver</code>, however, it is good to be
 </div>
 </div>
 </div>
-<div id="outline-container-orgf6a9187" class="outline-6">
+<div id="outline-container-org8e440af" class="outline-6">
-<h6 id="orgf6a9187"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
+<h6 id="org8e440af"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-3-1-22-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, pkgs, config, ... }:
@ -8673,7 +8675,9 @@ in
      port = 3001;
      openFirewall = true;
      mediaLocation = "/Vault/Eternor/Immich";
-      environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
+      environment = {
        IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
      };
    };
@ -8715,7 +8719,7 @@ in
 <h5 id="h:89638fb5-0593-4420-9567-f85f0223e341"><span class="section-number-5">3.3.2.17.</span> paperless</h5>
 <div class="outline-text-5" id="text-h:89638fb5-0593-4420-9567-f85f0223e341">
 <div class="org-src-container">
-<pre class="src src-nix">{ lib, config, ... }:
+<pre class="src src-nix">{ lib, pkgs, config, ... }:
 {
  options.swarselsystems.modules.server.paperless = lib.mkEnableOption "enable paperless on server";
  config = lib.mkIf config.swarselsystems.modules.server.paperless {
@ -8724,8 +8728,14 @@ in
      extraGroups = [ "users" ];
    };
-
+    sops.secrets = {
-    sops.secrets.paperless_admin = { owner = "paperless"; };
+      paperless_admin = { owner = "paperless"; };
      kanidm-paperless-client = {
        owner = "paperless";
        group = "paperless";
        mode = "440";
      };
    };
    services.paperless = {
      enable = true;
@ -8743,8 +8753,34 @@ in
          invalidate_digital_signatures = true;
          pdfa_image_compression = "lossless";
        };
        PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
        PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
          openid_connect = {
            OAUTH_PKCE_ENABLED = "True";
            APPS = [
              rec {
                provider_id = "kanidm";
                name = "Kanidm";
                client_id = "paperless";
                # secret will be added dynamically
                #secret = "";
                settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
              }
            ];
          };
        };
      };
    };
    # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
    systemd.services.paperless-web.script = lib.mkBefore ''
      oidcSecret=$(&lt; ${config.sops.secrets.kanidm-paperless-client.path})
      export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
        ${pkgs.jq}/bin/jq &lt;&lt;&lt; "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
          --compact-output \
          --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
                     )
    '';
    services.nginx = {
      virtualHosts = {
@ -9104,7 +9140,7 @@ in
 </div>
 </div>
 <div id="outline-container-h:a31c7192-e11d-4a26-915d-1bbc38e373d3" class="outline-5">
-<h5 id="h:a31c7192-e11d-4a26-915d-1bbc38e373d3"><span class="section-number-5">3.3.2.21.</span> monitoring</h5>
+<h5 id="h:a31c7192-e11d-4a26-915d-1bbc38e373d3"><span class="section-number-5">3.3.2.21.</span> monitoring (Grafana)</h5>
 <div class="outline-text-5" id="text-h:a31c7192-e11d-4a26-915d-1bbc38e373d3">
 <p>
 This section exposes several metrics that I use to check the health of my server. I need to expand on the exporters section at some point, but for now I have everything I need.
@ -9112,6 +9148,9 @@ This section exposes several metrics that I use to check the health of my server
 <div class="org-src-container">
 <pre class="src src-nix">{ self, lib, config, ... }:
 let
  grafanaDomain = "status.swarsel.win";
 in
 {
  options.swarselsystems.modules.server.monitoring = lib.mkEnableOption "enable monitoring on server";
  config = lib.mkIf config.swarselsystems.modules.server.monitoring {
@ -9123,6 +9162,11 @@ This section exposes several metrics that I use to check the health of my server
      prometheusadminpass = {
        owner = "grafana";
      };
      kanidm-grafana-client = {
        owner = "grafana";
        group = "grafana";
        mode = "440";
      };
    };
    users = {
@ -9148,7 +9192,7 @@ This section exposes several metrics that I use to check the health of my server
              {
                name = "prometheus";
                type = "prometheus";
-                url = "https://status.swarsel.win/prometheus";
+                url = "https://${grafanaDomain}/prometheus";
                editable = false;
                access = "proxy";
                basicAuth = true;
@ -9173,10 +9217,30 @@ This section exposes several metrics that I use to check the health of my server
        settings = {
          security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
          server = {
            domain = grafanaDomain;
            root_url = "https://${grafanaDomain}";
            http_port = 3000;
-            http_addr = "127.0.0.1";
+            http_addr = "0.0.0.0";
            protocol = "http";
-            domain = "status.swarsel.win";
+          };
          "auth.generic_oauth" = {
            enabled = true;
            name = "Kanidm";
            icon = "signin";
            allow_sign_up = true;
            #auto_login = true;
            client_id = "grafana";
            client_secret = "$__file{${config.sops.secrets.kanidm-grafana-client.path}}";
            scopes = "openid email profile";
            login_attribute_path = "preferred_username";
            auth_url = "https://sso.swarsel.win/ui/oauth2";
            token_url = "https://sso.swarsel.win/oauth2/token";
            api_url = "https://sso.swarsel.win/oauth2/openid/grafana/userinfo";
            use_pkce = true;
            use_refresh_token = true;
            # Allow mapping oauth2 roles to server admin
            allow_assign_grafana_admin = true;
            role_attribute_path = "contains(groups[*], 'server_admin') &amp;&amp; 'GrafanaAdmin' || contains(groups[*], 'admin') &amp;&amp; 'Admin' || contains(groups[*], 'editor') &amp;&amp; 'Editor' || 'Viewer'";
          };
        };
      };
@ -9260,6 +9324,7 @@ This section exposes several metrics that I use to check the health of my server
            locations = {
              "/" = {
                proxyPass = "http://localhost:3000";
                proxyWebsockets = true;
                extraConfig = ''
                  client_max_body_size 0;
                '';
@ -9516,6 +9581,184 @@ It serves both a Greader API at <a href="https://signpost.swarsel.win/api/greade
 </div>
 </div>
 </div>
 <div id="outline-container-orgeb2a887" class="outline-5">
 <h5 id="orgeb2a887"><span class="section-number-5">3.3.2.27.</span> kanidm</h5>
 <div class="outline-text-5" id="text-3-3-2-27">
 <div class="org-src-container">
 <pre class="src src-nix">{ self, lib, pkgs, config, ... }:
 let
  certsSopsFile = self + /secrets/certs/secrets.yaml;
  kanidmDomain = "sso.swarsel.win";
  kanidmPort = 8300;
 in
 {
  options.swarselsystems.modules.server.kanidm = lib.mkEnableOption "enable kanidm on server";
  config = lib.mkIf config.swarselsystems.modules.server.kanidm {
    users.users.kanidm = {
      group = "kanidm";
      isSystemUser = true;
    };
    users.groups.kanidm = { };
    sops.secrets = {
      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
    };
    services.kanidm = {
      package = pkgs.kanidmWithSecretProvisioning;
      enableServer = true;
      serverSettings = {
        domain = kanidmDomain;
        origin = "https://${kanidmDomain}";
        tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
        tls_key = config.sops.secrets.kanidm-self-signed-key.path;
        bindaddress = "0.0.0.0:${toString kanidmPort}";
        trust_x_forward_for = true;
      };
      enableClient = true;
      clientSettings = {
        uri = config.services.kanidm.serverSettings.origin;
        verify_ca = true;
        verify_hostnames = true;
      };
      provision = {
        enable = true;
        adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path;
        idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path;
        groups = {
          "immich.access" = { };
          "paperless.access" = { };
          "forgejo.access" = { };
          "forgejo.admins" = { };
          "grafana.access" = { };
          "grafana.editors" = { };
          "grafana.admins" = { };
          "grafana.server-admins" = { };
        };
        persons = {
          swarsel = {
            present = true;
            mailAddresses = [ "leon@swarsel.win" ];
            legalName = "Leon Schwarzäugl";
            groups = [
              "immich.access"
              "paperless.access"
              "grafana.access"
              "forgejo.access"
            ];
            displayName = "Swarsel";
          };
        };
        systems = {
          oauth2 = {
            immich = {
              displayName = "Immich";
              originUrl = [
                "https://shots.swarsel.win/auth/login"
                "https://shots.swarsel.win/user-settings"
                "app.immich:///oauth-callback"
                "https://shots.swarsel.win/api/oauth/mobile-redirect"
              ];
              originLanding = "https://shots.swarsel.win/";
              basicSecretFile = config.sops.secrets.kanidm-immich.path;
              preferShortUsername = true;
              enableLegacyCrypto = true; # can use RS256 / HS256, not ES256
              scopeMaps."immich.access" = [
                "openid"
                "email"
                "profile"
              ];
            };
            paperless = {
              displayName = "Paperless";
              originUrl = "https://scan.swarsel.win/accounts/oidc/kanidm/login/callback/";
              originLanding = "https://scan.swarsel.win/";
              basicSecretFile = config.sops.secrets.kanidm-paperless.path;
              preferShortUsername = true;
              scopeMaps."paperless.access" = [
                "openid"
                "email"
                "profile"
              ];
            };
            forgejo = {
              displayName = "Forgejo";
              originUrl = "https://swagit.swarsel.win/user/oauth2/kanidm/callback";
              originLanding = "https://swagit.swarsel.win/";
              basicSecretFile = config.sops.secrets.kanidm-forgejo.path;
              scopeMaps."forgejo.access" = [
                "openid"
                "email"
                "profile"
              ];
              # XXX: PKCE is currently not supported by gitea/forgejo,
              # see https://github.com/go-gitea/gitea/issues/21376.
              allowInsecureClientDisablePkce = true;
              preferShortUsername = true;
              claimMaps.groups = {
                joinType = "array";
                valuesByGroup."forgejo.admins" = [ "admin" ];
              };
            };
            grafana = {
              displayName = "Grafana";
              originUrl = "https://status.swarsel.win/login/generic_oauth";
              originLanding = "https://status.swarsel.win/";
              basicSecretFile = config.sops.secrets.kanidm-grafana.path;
              preferShortUsername = true;
              scopeMaps."grafana.access" = [
                "openid"
                "email"
                "profile"
              ];
              claimMaps.groups = {
                joinType = "array";
                valuesByGroup = {
                  "grafana.editors" = [ "editor" ];
                  "grafana.admins" = [ "admin" ];
                  "grafana.server-admins" = [ "server_admin" ];
                };
              };
            };
          };
        };
      };
    };
    systemd.services.kanidm.serviceConfig.RestartSec = "30";
    services.nginx = {
      virtualHosts = {
        "sso.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "https://localhost:${toString kanidmPort}";
            };
          };
          extraConfig = ''
            proxy_ssl_verify off;
          '';
        };
      };
    };
  };
 }
 </pre>
 </div>
 </div>
 </div>
 </div>
 <div id="outline-container-h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47" class="outline-4">
 <h4 id="h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47"><span class="section-number-4">3.3.3.</span> Darwin</h4>
@ -9728,8 +9971,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
 </div>
 </div>
 </div>
-<div id="outline-container-org1c6aa69" class="outline-5">
+<div id="outline-container-org2fd6795" class="outline-5">
-<h5 id="org1c6aa69"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
+<h5 id="org2fd6795"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-3-4-6">
 <p>
 This holds configuration that is specific to framework laptops.
@ -9767,8 +10010,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orge813212" class="outline-5">
+<div id="outline-container-org28eaeed" class="outline-5">
-<h5 id="orge813212"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
+<h5 id="org28eaeed"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
 <div class="outline-text-5" id="text-3-3-4-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -9784,8 +10027,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orga04a3e5" class="outline-5">
+<div id="outline-container-org4c4411c" class="outline-5">
-<h5 id="orga04a3e5"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
+<h5 id="org4c4411c"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
 <div class="outline-text-5" id="text-3-3-4-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -9807,8 +10050,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org4db606b" class="outline-5">
+<div id="outline-container-org8338221" class="outline-5">
-<h5 id="org4db606b"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
+<h5 id="org8338221"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
 <div class="outline-text-5" id="text-3-3-4-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -9839,8 +10082,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orgb652890" class="outline-5">
+<div id="outline-container-org952308a" class="outline-5">
-<h5 id="orgb652890"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
+<h5 id="org952308a"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
 <div class="outline-text-5" id="text-3-3-4-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -12788,8 +13031,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org490abd7" class="outline-6">
+<div id="outline-container-org978f035" class="outline-6">
-<h6 id="org490abd7"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
+<h6 id="org978f035"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-4-1-29-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -14038,8 +14281,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org8bce8cc" class="outline-5">
+<div id="outline-container-orgeba9bdf" class="outline-5">
-<h5 id="org8bce8cc"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
+<h5 id="orgeba9bdf"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-4-4-3">
 <p>
 This holds configuration that is specific to framework laptops.
@ -17879,8 +18122,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore
 </div>
 </div>
 </div>
-<div id="outline-container-orga21e7e2" class="outline-3">
+<div id="outline-container-org47034b7" class="outline-3">
-<h3 id="orga21e7e2"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
+<h3 id="org47034b7"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
 <div class="outline-text-3" id="text-6-3">
 <div class="org-src-container">
 <pre class="src src-config">
@ -18377,7 +18620,7 @@ sync USER HOST:
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-06-09 Mo 03:26</p>
+<p class="date">Created: 2025-06-09 Mo 12:45</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>
--- a/modules/nixos/server/immich.nix
+++ b/modules/nixos/server/immich.nix
@ -14,7 +14,9 @@
      port = 3001;
      openFirewall = true;
      mediaLocation = "/Vault/Eternor/Immich";
-      environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
+      environment = {
        IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
      };
    };
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@ -0,0 +1,170 @@
 { self, lib, pkgs, config, ... }:
 let
  certsSopsFile = self + /secrets/certs/secrets.yaml;
  kanidmDomain = "sso.swarsel.win";
  kanidmPort = 8300;
 in
 {
  options.swarselsystems.modules.server.kanidm = lib.mkEnableOption "enable kanidm on server";
  config = lib.mkIf config.swarselsystems.modules.server.kanidm {
    users.users.kanidm = {
      group = "kanidm";
      isSystemUser = true;
    };
    users.groups.kanidm = { };
    sops.secrets = {
      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
    };
    services.kanidm = {
      package = pkgs.kanidmWithSecretProvisioning;
      enableServer = true;
      serverSettings = {
        domain = kanidmDomain;
        origin = "https://${kanidmDomain}";
        tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
        tls_key = config.sops.secrets.kanidm-self-signed-key.path;
        bindaddress = "0.0.0.0:${toString kanidmPort}";
        trust_x_forward_for = true;
      };
      enableClient = true;
      clientSettings = {
        uri = config.services.kanidm.serverSettings.origin;
        verify_ca = true;
        verify_hostnames = true;
      };
      provision = {
        enable = true;
        adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path;
        idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path;
        groups = {
          "immich.access" = { };
          "paperless.access" = { };
          "forgejo.access" = { };
          "forgejo.admins" = { };
          "grafana.access" = { };
          "grafana.editors" = { };
          "grafana.admins" = { };
          "grafana.server-admins" = { };
        };
        persons = {
          swarsel = {
            present = true;
            mailAddresses = [ "leon@swarsel.win" ];
            legalName = "Leon Schwarzäugl";
            groups = [
              "immich.access"
              "paperless.access"
              "grafana.access"
              "forgejo.access"
            ];
            displayName = "Swarsel";
          };
        };
        systems = {
          oauth2 = {
            immich = {
              displayName = "Immich";
              originUrl = [
                "https://shots.swarsel.win/auth/login"
                "https://shots.swarsel.win/user-settings"
                "app.immich:///oauth-callback"
                "https://shots.swarsel.win/api/oauth/mobile-redirect"
              ];
              originLanding = "https://shots.swarsel.win/";
              basicSecretFile = config.sops.secrets.kanidm-immich.path;
              preferShortUsername = true;
              enableLegacyCrypto = true; # can use RS256 / HS256, not ES256
              scopeMaps."immich.access" = [
                "openid"
                "email"
                "profile"
              ];
            };
            paperless = {
              displayName = "Paperless";
              originUrl = "https://scan.swarsel.win/accounts/oidc/kanidm/login/callback/";
              originLanding = "https://scan.swarsel.win/";
              basicSecretFile = config.sops.secrets.kanidm-paperless.path;
              preferShortUsername = true;
              scopeMaps."paperless.access" = [
                "openid"
                "email"
                "profile"
              ];
            };
            forgejo = {
              displayName = "Forgejo";
              originUrl = "https://swagit.swarsel.win/user/oauth2/kanidm/callback";
              originLanding = "https://swagit.swarsel.win/";
              basicSecretFile = config.sops.secrets.kanidm-forgejo.path;
              scopeMaps."forgejo.access" = [
                "openid"
                "email"
                "profile"
              ];
              # XXX: PKCE is currently not supported by gitea/forgejo,
              # see https://github.com/go-gitea/gitea/issues/21376.
              allowInsecureClientDisablePkce = true;
              preferShortUsername = true;
              claimMaps.groups = {
                joinType = "array";
                valuesByGroup."forgejo.admins" = [ "admin" ];
              };
            };
            grafana = {
              displayName = "Grafana";
              originUrl = "https://status.swarsel.win/login/generic_oauth";
              originLanding = "https://status.swarsel.win/";
              basicSecretFile = config.sops.secrets.kanidm-grafana.path;
              preferShortUsername = true;
              scopeMaps."grafana.access" = [
                "openid"
                "email"
                "profile"
              ];
              claimMaps.groups = {
                joinType = "array";
                valuesByGroup = {
                  "grafana.editors" = [ "editor" ];
                  "grafana.admins" = [ "admin" ];
                  "grafana.server-admins" = [ "server_admin" ];
                };
              };
            };
          };
        };
      };
    };
    systemd.services.kanidm.serviceConfig.RestartSec = "30";
    services.nginx = {
      virtualHosts = {
        "sso.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
          locations = {
            "/" = {
              proxyPass = "https://localhost:${toString kanidmPort}";
            };
          };
          extraConfig = ''
            proxy_ssl_verify off;
          '';
        };
      };
    };
  };
 }
--- a/modules/nixos/server/monitoring.nix
+++ b/modules/nixos/server/monitoring.nix
@ -1,4 +1,7 @@
 { self, lib, config, ... }:
 let
  grafanaDomain = "status.swarsel.win";
 in
 {
  options.swarselsystems.modules.server.monitoring = lib.mkEnableOption "enable monitoring on server";
  config = lib.mkIf config.swarselsystems.modules.server.monitoring {
@ -10,6 +13,11 @@
      prometheusadminpass = {
        owner = "grafana";
      };
      kanidm-grafana-client = {
        owner = "grafana";
        group = "grafana";
        mode = "440";
      };
    };
    users = {
@ -35,7 +43,7 @@
              {
                name = "prometheus";
                type = "prometheus";
-                url = "https://status.swarsel.win/prometheus";
+                url = "https://${grafanaDomain}/prometheus";
                editable = false;
                access = "proxy";
                basicAuth = true;
@ -60,10 +68,30 @@
        settings = {
          security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
          server = {
            domain = grafanaDomain;
            root_url = "https://${grafanaDomain}";
            http_port = 3000;
-            http_addr = "127.0.0.1";
+            http_addr = "0.0.0.0";
            protocol = "http";
-            domain = "status.swarsel.win";
+          };
          "auth.generic_oauth" = {
            enabled = true;
            name = "Kanidm";
            icon = "signin";
            allow_sign_up = true;
            #auto_login = true;
            client_id = "grafana";
            client_secret = "$__file{${config.sops.secrets.kanidm-grafana-client.path}}";
            scopes = "openid email profile";
            login_attribute_path = "preferred_username";
            auth_url = "https://sso.swarsel.win/ui/oauth2";
            token_url = "https://sso.swarsel.win/oauth2/token";
            api_url = "https://sso.swarsel.win/oauth2/openid/grafana/userinfo";
            use_pkce = true;
            use_refresh_token = true;
            # Allow mapping oauth2 roles to server admin
            allow_assign_grafana_admin = true;
            role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
          };
        };
      };
@ -147,6 +175,7 @@
            locations = {
              "/" = {
                proxyPass = "http://localhost:3000";
                proxyWebsockets = true;
                extraConfig = ''
                  client_max_body_size 0;
                '';
--- a/modules/nixos/server/paperless.nix
+++ b/modules/nixos/server/paperless.nix
@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, pkgs, config, ... }:
 {
  options.swarselsystems.modules.server.paperless = lib.mkEnableOption "enable paperless on server";
  config = lib.mkIf config.swarselsystems.modules.server.paperless {
@ -7,8 +7,14 @@
      extraGroups = [ "users" ];
    };
-
+    sops.secrets = {
-    sops.secrets.paperless_admin = { owner = "paperless"; };
+      paperless_admin = { owner = "paperless"; };
      kanidm-paperless-client = {
        owner = "paperless";
        group = "paperless";
        mode = "440";
      };
    };
    services.paperless = {
      enable = true;
@ -26,8 +32,34 @@
          invalidate_digital_signatures = true;
          pdfa_image_compression = "lossless";
        };
        PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
        PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
          openid_connect = {
            OAUTH_PKCE_ENABLED = "True";
            APPS = [
              rec {
                provider_id = "kanidm";
                name = "Kanidm";
                client_id = "paperless";
                # secret will be added dynamically
                #secret = "";
                settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
              }
            ];
          };
        };
      };
    };
    # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
    systemd.services.paperless-web.script = lib.mkBefore ''
      oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
      export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
        ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
          --compact-output \
          --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
                     )
    '';
    services.nginx = {
      virtualHosts = {
--- a/profiles/nixos/localserver/default.nix
+++ b/profiles/nixos/localserver/default.nix
@ -36,6 +36,7 @@
          emacs = lib.mkDefault true;
          freshrss = lib.mkDefault true;
          jenkins = lib.mkDefault false;
          kanidm = lib.mkDefault true;
        };
      };
    };
--- a/secrets/certs/secrets.yaml
+++ b/secrets/certs/secrets.yaml
@ -1,10 +1,8 @@
 sweden-aes-128-cbc-udp-dns-crl-verify.pem: ENC[AES256_GCM,data:5je4QCI3aR6jpE0O+0ssm/ZxrrgNL62XFF9XIh3mkwSKOMq3vz9H4xsDbDjnKxnZdMi7ogIEtAizbga7kuhyD3CuPlFX08poVFvALbjG95bdblphUQpKx2AN1wxpKUjLlt9DsU9sjdtCkVB8NEMwt9+CyJzyvT7ZgJYemM47Ts1gxlKvo4Vh5lHrpUWJ9Q0lHwW1J0PrAe5EBTkVc4/StdhKRgKAYnQKCAfVdrNe5SHSIqqjGvb3+5fjnwwIRE/5g6Zmn6nSpbsD7XNMDdrS1aPMLylY02sTd9BF6ZTfw2AqYbr9WSzTmMoc0Z1gMmwQX22rgvjuq0rf38Mx4TQRCCC2dPNnmSxQa5eyYfIKp3Y71Mnp07c1AVYQDOq/8Db71gapavudIV2F/iIOeJKpHmGB2HvI1bVKYfvccOdyVPZu3T+qrBHrr6kj0+PJed27tihMbVKkPTELwQJFFTAtQJcG/F2W6WEaYgu4ap51cGXOMm4SF2ANL+bSSl8mQcyOU/N69WXbfKFpHO4tV+me1lnuJwl/YcukZnzqrYvA0BwrfNHnIyyApUyqB2cLxLAJ6cH2ixceNC22j5P8s2DBBan68NJFewTqgEoyPJdbtBvHTVRM0CRHekGBjtUznwrB74iXI/BvddfAWk006f6vbja2IJ1BcE9GHG74ZEYUIag5BErQ6Rds2+pBnr+xh9wjJsYeLLiKATkvjM/4pCND+RwKLpHNlyUxw7mBeJJAsfE4EZC8ZP5Mb8bq0G2Suxe20YgIWvx4M2RskJlAX/XJcQSJqLBVb29altiOiVEcdzZRDpGPqJwPr0iWGSQuXJ2VOZFRyqRu2JxFa/DCnxVyk9fbqTMKnh7jROdh7gS7++1MGrdzg/hJw9Q0uD1bLVo472i4s2wJqt/VYYc+/3UHR0kmt2ftSiux/lSb/+gmGk5onOyWZKLmkFEYG++MJVRksXTjn1xnFT1CFmQ8c+/qWUqSmcbHuAg2btCzlpuOuANYSRmmMbFTTkMkYjKDRKrQD/CmbW52cVUIm93WuELQIJ1Ri02XVM2pwoZfnKr3VY0y4yLXSylWLnXJDydDZv0ZmfU9Gyi77M88VCzYlQX6SSpRJ/r+cjdscauXzxo4BNVxjRgvNGOe4DkAeKXy50N79sw/WMY=,iv:b4QKl9Qr2reO3kgZ4Ls1vKyz5tKAP93s9pZe4UihwW4=,tag:Xe5jcylBt4D2jhc+ZkCRWw==,type:str]
 sweden-aes-128-cbc-udp-dns-ca.pem: ENC[AES256_GCM,data:G2IiEee0cVH/7fZbaGDiyyE4iphqlhsLCaWOwznl11k/rDximnc8B1y3vT9C7eZcQ9Cj0XB9C5tzeVP3Cqhq4wxOP5bqDCYvoBG6ZzMxsDXM9OcvWe6Cxv94C+t7bHwL89yroDhfz08I/YMiCc0HGXTlf1aAVyD0NBh+LM20Q3Bh1Xhpl3gITf1Xs7BJxpHDXCAEku7ufnIxZb4aTWwWn4DGG6NmzQt2we39/pW17s7/1rM7Jo6BljfqmMBLyLry004tn1tvzXjqOY64SLl0h4ufLrAIFoxg+nsnc4ymNYTuR/4eh0JzeJaNNSqZjXT7aVhTKV36HRV9vMkXIHCC83kfHLU9rB8gtb9b+pPDaSDO25yYaNS1+VkMEZNRtpq9A3Nag25z2qpIOVfRLZgIj4ScWsD+5PIwRnwn9M+hRGfYsblhf1fYtYUQnByl5K4Lh/MycMFdp8JKJMedVKRzlHNhWqDqu1zpiYTFK5wiZ+PJVshh4zzIaFbvmrHZINzVsAmhNGQBptUW2oFe+Py/c1zGpWJkZ4fk4PlhppiQ5zr4r82p3fFK0JtbSbAhprzUkgwu2nPwzFcplKDGlT/a4FpmUgYjIgNEWRjBDqk8hrMLgHayiQaZ3D2EH5FlWiKpO+kx/np/hPj7gIPMs+5IDGtFfMESlJ+wM7bxZOkk0DyNvfJkPBlJa7d8imv7XIw9hTu5ii8cfqha1rBfx8P1hy9kSq5kGqO8x8NA50Ynktrl7uu/qLJiUkSdR3bdfakWXid8wjh79saY1OXc83cooCW9DRNuFP9+murzbA+hYXvc6dr5fFvsk5mH6oVzqudgFD1UD6s16+9xwN39Z0qVloLpaZbUN5Jbl83Y0MxhzeNOL1cu2fGx8O2Pt7XsmhMs+RstGIORSjFPiGkVT3ejUJ9icIMcTVkzvT+8lW97purrJqmMUmuUEtReLFYdt8NNSLVpyZdVWhnuLlUbO05HzAOUgqKmcLoK8eTJlTkkB3qlB4LtjUKvaLKm2HD5hV3RUiEoec3rQhRsOjXox92iIdct3l2YK7TWU+xxZoM2PlajWfDVm88r+jUhckUmIuZaGNAyGWFtju3de/x1vvdsSvkjibV1eh8w1CKNU3rC38eTdLLMpAgpel/KsHk9+GyHOg/LOocUeb5BDb7NE34SHpC8LTUCYq7mh3PbyoDGkErmi4OI2qSrZzaONUcU1/nBOXYyixPfhZqa47mCTd6Czcc7d7izI+c06UXvd1lxyxDZoIpBYoIBgKBNuSE6Ek83PHx2eShI5PIZ5o+R1TbR+LRYkYLJLyxQbiFL6SIRMngTNHvSFlbTIB1RXxBhTO6RX/dBt1ZM08Ga6NCgpSbsRiuFGOS54TSi9s54b1DCWgNs3CDAoFAtkvWWr0N9uk3IvcxpDMpR5Tw5DmKk21I/gsRWfQqr3bUYcI95upQ0N6Z7li3vjUwQd7mQ7vOzteKjZitAa0VBr8gfz7DOYXJaRfzFkcdZS54O/dWCr2N8A0CcgXfUEpXanc7JR7qiYwqv4GJZ47ZcjD5uVwqbrcdXj97v4LBV+zYf49LBq2OwqssgOJ2F3N9j2PR7x4+O3Xp4aw7V7pLii4/W/LxBED++b3dUvIX2+Mv19mpU5GIX+EyXLe1Ds6pEHFW3mbKEBOdPv5iQML2qhCIsjfw6v8Flge0xaK/Ex+LY/zBtIFv4rMpDVwtkDBYEeQAmSAFPLoPxz+l7Q7xkVbgnW1vwHqt7fZ9zhoTU26y00nX/B74rLxTNLoHcoyoErmpuAJeg+53P9vvXj0F7lx5EgQaybckgx8svhrWpX+BlrZXz9clTp9DGZsZg+Uy7k5/Fc3sFZ7Y4Vatwx2e3SH6vV3g15BLjEbnM3a7e3TfUKGxUVi7bZG2Z5z+9w3aF1zuAH/tZZNO4Dgv7PoGtU4/uxzzW88dPMH+oU9M/LueepyAtIJ/AbH8b5GMCl9/TiWUsP3FZlhuDH9hf2bHaZ2Vv5trj9Y31C87RbLKGueOfY6S7GyQXbHuEygZqxI+4OPw1oBcPHh/+7twL5ltLZj/NUQSjGKcoxHhTvOoE8pjNNTDtMX9WHqiyCiy8mM7qEuSdXm48UwFB0R897kYZoa5mZoSgj3WfjkqY2yu8wmXQx2ArSeHxF/9u88+d90pRgF9LcjLzO76/aGqlkbitBCOF7wtNuMj9mAYr84Yp4/PeNxPTiYaG0hj2ysjZhL8awnt5Ua6O83TPY8obU7G98xeYO5dl4B62TbdXwrqO+0NH0k0VZWEHA1TQbbn3DKXgWl1ehr6qKZKo+vuKzUFgjEU7EKIjnuXlv5AHsdsbKul1x4mtN0lGRGpc8xB0EzFfsxRzkb8LBjZjm13HsD54KayEnZHVKtKscMAYf1+VzasHLAQJzLXQNrSTqsfknhWZ0bkRdBr5bT+4V0mU3G02Us4WqhlBfGuuot5K5z+OUy0rsC1uvgl92Q6wR/a44ikPs4b60wyRYlxStfAPM3Kqw3hQAdAw5fpPT54yE5eHF9kU3zdo2XMKhxmhV2+i1eHauPCp88xEVTNLiR22rSDwoYMdDikZIyihdWH8dZfpq2bbCDnCscAuELJD3H0+3nFeM3RvtMx+l4ySSD3cj9tyhSwKTvvvPzsbanlo0S/82LJU5hDaM9C2vDtl/EYSsYN216J0hpxDTMwZQQ5NN2JNI1qm,iv:DcPiMfGUlnOZXuULOujLhY1qhN5sUbpWX25bexN3OKc=,tag:/i7U8WVqlFdP4DGwx7SxKA==,type:str]
 kanidm-self-signed-crt: ENC[AES256_GCM,data:1+dM8NdsKcuqlCAbQBF7+gnVbeKbc6Gtr9AaBId/ehJjHDkHm4Ptg2pVSvkapjJE5TKTAOWF17lRuKgVpCfPxATBUu6RCrvnJHRcUyQiS9wuGRAlQBWICv2ygtfx6ODGaBuLEzAulxGHT69UG7IgB7XH6bPPqTNDPKduRw35KMYMpCsH/9kVpIAWp5r0hCDL9zGUnBrGyclpdwDtbowW0j5qOoCYrcj2OvQMzr9gNvOLKiIaEBnXV95WkSUbt9RSrE476Ib4uH3aXtoWkkGeZTEiFXAhf8cqVV2xP2tpJWEgl781L9Gno6D7r3A/doF8wA9GSByS4IdOJqUpEHK1+6Txl0WrkK/h9LEqHrIaTgyzz35wMXlVeBFYFsmrmZZCZHsIaPhHRoAJxfzxrz/kThBsfhaH8G5QiiRtn8DZynopSPSj5XEsN8tZvWARfiNvNLEH9RKZgtyodoxIc6+jGCQl2Pg2oKP7YWb7Xza/zVN8ZKF2dpHzPrrxUObu275Tte9PiOXKvHVSlcBZsqom6Cd8WaI0Cwsd46sZUo0nV1FBAPyYAf329D1yauwF0S+SsHR+wQxo7pAigVjTpp3CwwiKUBhf4Pnov646+idXZNbPpAHDkhuaQM1JXkxo8EFYR13lIYvlSnPC8YwzSYHyMhV9h7GZKwUwC8988Jn1vxA1Iju7s2biJMndWT0z4522iMx6Quy7Imn78Pq4V5gYanuaDiDOJyD8na18l3BNdU8+Y+8d0hM55FlquypeR+fdp9DhGQToQb6RJzMFVurvtQIvDJzyciNbx/ha+OthI1IflhiCICNhIG4vZp5RCGLNj0ZL/nV/F9wC/JxUSIiTNSpqpI1cRfCDlKooWHLryNj73I0GfeliZFNNAoQHw506bOZD4dIOi6MleqqGOPEopKS+7c8mVTIGEXARtW1UTa40zYri8q/WIV4QkiaMBMCv8giLy3CiTPucmjOlV94KjVMU/ZnEO6BPnMWGJ2MuEzF8i27DvEH3hDdrCiRvCLwyd5xdSoVL1xv41LqhBLS0kUT8pJW3zuSAYw1IGhB201X+qvEtWa+3V19VoF9oHyBh4mwvYtJxaCq1LTVfwrw8xg0pDYP8uIpbHYIClovcZ2OtVVlIZGOKeCRrOKLClbA0cS0ZrEF0S5LO3cTwLyUlHC0GrMsZzwW2JH3mShxTvTrU4ryVaYObW0nqymeCUYZn5mxVCq3Hl2MwEX0cmB6NWAweLzDc9ngiu3w07bO2czgXZjREZrPvbQ+CFmfP6XFiguTCF0qdQJ4g31oGyDWbuK1tl/mpmnnUc02/BfZkpKB7q5FY6Ig0PsvwAyuHuARAo8uBPaNFPJp1rfkmNRZ1gIb2pL0KWG6+QQt0aoZ6/f4DSsUDKlnkTyUtSGqrwg3RJA9dBeOKkikfWtbOB6tOnA4PLnxXyEzw+s4cc3H03jxRsP72TF2qVrSJLSKYpD/Gm3ULdhqWlOO42fMAowh8Dx5w6mlXHBBxtigVfZy0Fu1Y+4lB7OnPpvCGPjX22FJlgb7cIufX2ksNGOwOV+sysI8zgJCNRRrol4vTHNsVnp1B++64Z7MYjVX7mIdffzKY4jdV8RgqJLHavn1d+dKG5NxkzPXOJtrTemZfGbuSWROEjH6MdcF45NgwCY3eakWMazeo0pGJWaBIMixN2J/XzMWhEgopO4+zrp7fDV36lqV2MUySOeRZsXFOHejxTG+OHTTa00RZxsZzvzpVzQqN5hhVeQPUCLwPurJdYnuYs7hr8leQOAVxLglqs/OnbhaCWyMKRDkqPx1baY45ytCdmp8IBCzFrIbbAvRA72xUNwHCKGf4RY9QhsyrFTltyRBVPaVG0LJhVxMbtf25gYgSyooPANcUm4BI5EvdFAJx1i9xnfGzgh/JEx8eZic7Cu9xryUbuL0n95HocJAmRu0+MTUuiFlMxIfnvB1K6I3J6KJIojd+6FMCb5k8QRESCR6TK3PtsuCpBj9oJF8g/rMfKeX8reSZn1aBtI7XHqKGxk2I7lYh5wqa07nIKQkB5FRcNUJ/tQQt+mUZDxW27ELX6Oh3JLZysSMw+Y08mT/1AwF+kqA5aHjpAxUBwQQfcn+WUxu9usNE6HdXjrrrSuIVWS9m0BloIUt/MIOPHiRYNW9wx5A5SJwdLSN0G2r9VD/2a7YguXjtDSCLxiVTzoKodhXir/U868CvCprhYZrFT8po3GeNOOb5psrNpaFeI6uWJzoNn0fren9fD+eZk+HFgZVi5aT6CNy9fYYtDv16vyapSTowmmcn3OjtTeSOe2oHfkfe4TeP1BMNx8263jmCeYLipPm+mGyHHnb3cBHWgDZX3QfMlVoFKUm9p+aDiKoA6YFqmy1+9r7EvZ9QCQ66UIxMYt7e5wL4P8ukmttG90GQFNKNA86OMd4nOrtsl4c+PNCbYRxYf0qyc0ad2wyyReHvwDKOoIRSbwkVTxZrSTZA0wXW2y7ddW3K1Ld2+qBSPtIYHTHM5w==,iv:LIuJpGoxOCBX73ZyjIUl9mYVA0wcRdue8EJyfqQzcK0=,tag:5W2UVbOH3Lma99lVxDdkNw==,type:str]
 kanidm-self-signed-key: ENC[AES256_GCM,data:IIi2LK13Tskk7V6jALsVYOYKgNobhUlmai1z9PwohkUUbXYpmvaB8yu56lssUb/xX9cdFHghDM8YHhS0FOe44ugDexisZRXhyxWIenGRRTJM99/RWEO4Ew04ZFWAMrCUFdDHuSThNhaLyuEm291cp0iA05W9Z/G7i3ymKlqE8Wg6HkcaxkuSek10S74SYAABbfrz/8KfZQdfN1fl8i+0UD8/n42XpT1wU45CldZfDuRjOmsRaDwDDgXageFhsN2oJuZQjA3060sMom+/DUDHPam3eYYKE9ulNcrPhJKFzB0r5RJYnLZEY+wtiYI6YMZs2x5aXAvuh+dmjD8rVWTQb9ZuuJlMvVv0PInORojMs/LyJNsxC/Rv48wY8lCIkalfAVa8TkGiptiX02kNELOsWlBuPzawynzNi6tFRn0gHQl1wSrjOJi9oPRiiV5Ru1ufmDCivHOoJlDoPZ9fqTnMf14tdUPAlSRgAho9d6yke0t0/7y0QIEQClOMaUF+xdJ+pJxXY4puesCPcw9f7R068tFNINNz42xCvSEP2VgSEa2lvFs7Uw0OKf6QZ+cFxuM85CWPE/58kShKLz0GNo1t509+sZC9aazbpsvTMacedo+m+D9aiPiX4dmkT0VK75JXlX5WEUkFL/p8ZVQ/z3m1yvtXv56iPO0mgvGHHAPy2i8khfa1hqwnFO+Z2JiG2Bcydf2I7fW3rBOQZbBINd5YVMm8qN3f7notptLP4GY+vAWm67+FwdF/YFVVseXmqipGvhjx7bw07WasBC6Cscaw3FDRDEx3LYckdfEO928Edq3G2G+Wme5uYwzvHB9fqW3w9UoFS9j5cYumbbFjPCsQUK5PZmKa4hhg4eFnn0jcUTl7/rs213iFsHWxHmzOgVlo2iIkc1eDlKGvdJRY+zqOPnwJiiqxbE3P8kpH5FObmEqY57+eUT/g1bEaqFRYEH6Wq3kONujQrTZipCyor9ai4+bYhGI4SdxEpA6eQfcyFljofNiTbDAfURjvGtLkvY1pUpimyafoYU1EIOuB+aBlIR9XE7baiX7PnidSWqhMqS5ua/eLSYmRgFAxWmpyMNPXbMj/7CL7MSaDZvIvbyXW5nHm+RzjFYU7HzP6nl0WeURUsnvY9maYJOVPsN/1p/vrQ1ezTXFGhPmiHX1K4NunVZ8bGo7bU7OO7T3e+xcrkGjZQIlZA7FpLrYwF3kIwy1WdSOUIKF4EKNvmmJr+yYq2Mkaw6dd4hua+50hGzePGYrnYBJHYTeQhhjXd+uU30bFJ7y+WmABts4oJCEoU8wScgZ3Cds0ZKu5lCgxxBGcz4P3oMagSct400WiMHZ0VQIHb1V4+prjhVJVm5hcxgfVXFEJOA44zkmD/XIsqla2CFEpL9AEoIPyBOZFY+RUnLZ/oPVGJzVfL4XvDdji0Wcvaw7FpKu5KUYs1vxloVDsMpNUJNK4snvB63ppitm7uYF5sVD+1rLAWIs8SdT+zo7bq5mUFUBSS9ZypAKQbdcprqn4myZ62CFHJbgyAxwX0fnPcvn3YBJmCuZBm9+zCNuFr1fYOhcwY+YLiXuel1UeEfmFjTU4EDiELY34EUdhxh/PqTirvBtU7JEdeOZXInHSqILOqzWsfQ4Qp6pTDQum4Qt2aRWWg0ls4b4ublXrTaz0gKoQlfyRNQN1F6d6+dYU6O4If8VRBs5TKnJ2GxJaky2XCJW7AdtnOy3XdDv+avKwFJ1yDp1rwi9iVTUI9djmJohEBCiXDEp3gzHBtNoReZV0Fo435whb4jA3NmoJEvyZpaDSQm+lF46glxDye7dvsp6WsFL9vOLiYcED/RrlRBQpI63eVRBCslNT/4tQVSiYzxnLnDpMyVmXPIBmcV3fe94on1Uvn0J1r5Jvl8GPKuZ5BZ8rqN/psxoKVuBToUTJJZu+78T+sT1cPsn0S3rOCZp+sWn0fZ64NQzaxgH8M6G5epBj8ZDY2SSbLNUa0Gj93lPoYOYWVUIUROcKuhgbWw7JFgWIe6c+jF8yQ/BOJigLr2mLeIterVlXyILZbQEm0AkV+bu9nt0QUDWiRL4h80BVu0jycgTksCyy7zRrz09fzkjrWuFmPZ0rEr3E0dJCV5uZeF7P/GKuvLTdwwn8Imb9r6oNFhCdBvVeGD2V4XzJxzf0kem45aAYwWWSMELPCzHTSvxUMUjo6tzvILeuLYrr8ztE9pim7ZIOA9xKTfQ5LF9XTBpYTfC2+aSmPNnfxnR0gbniLPb/XYur7iGM658WwPkh+1I+VaSyUBWl4HitQGa5q5T/bfSDMe+SxczcsGibIA24iCUwCSVo/jrhcGaGVVVldTFQ+nj5jD1hMVsuzvKe4MyTyHvubjYgjK39qXmLX2NInvgz7FfVLwwPzEh5LDmK3Nl46aHqRISK95BH2PusnP1z0HA+375fVsoIxmbQT7QRbovsmIf2vEU/6EB32DeyLjRIe/2lmTsfBgpm0ju7tRRNMHe61YZBC8Ed6QuTKvHp5bFmXntMQUAoRqyQQe4XFzCHago8guAdV1UkPMcFdZxN8L2D96EXKO3dpF4+6fnCo/c/yQ5+sMhwzzJYE/gV1gOJkyraxJofjUCr6+tzF99HM7x5YFzkJGhtpHtnLGXRwml7wlKH45o0MIXrNmeE6lIX29lw0wMPyq1WYF3tZ63csRzXw8HS6/zukFKM2D6r5sOz1D8zZ3AamEkQm4axsiz45pxgzwxq8uCi4kU14vFr5QOQ0n/DYr5KSUVmsSHokCfyf769NDTRhE6SZDTEjx9mJ0uzB7VAKXI+pKUd9gJhLJcsrjVF+HoDIhoYY8h9Llm+lfhKmiS/eqmo0CbPzwYQM9LljL1V7L7ydel3wxcOrRWISQF5j52KhIT4TiVQKciCH3cvgXJzJGpnjMZzeuhHEvyFhWeLmfqCGqSq74j8alwGrPPy389ofw3lQ7Lkh3F4obz2YYoFfs+6ZhFA1kKNNbf191qskiIJFbYvaKbnASfGa7iw/W0VnC7/unNswozb+q9ur3L47ZeusPUD6ZJfAqxyabmCRpCFkfpuGgxnprzB6wECD5GLp02SnZUqRS++jXoKrMBaLtj2wnyPO8m+V5BZHaqWSUzc7yDN808ttxTCHBITQds62rDqmRhvxceT6NmWrt+ztM369M2k9WNp7BcfcExVdtdfmq0nt9Ykox0IisJKyVn5k7By4WEz3rGdIkFLPTN2SGlSs63olEFd9MYM/JePFIUicnZ7fQAh87ZwYnlzbmD7KwolcM3s+B4y+dYyjpUPAcyF6qcc7Z+6Jh+Kqr6WKl3b6K726xe7XJYpYgw3pwSigzdidknDNNicu0wHRll/BpZJ2VJkes8OBpJIun2Z0WTe6aG8b3tbwMfRG4aleoImJGwWDKZQ6o4aVR0awZifVaJ4/xgX2bjPCPVY5nOEh13aNzUW1itKw20dDIb1I5fSaRP0YLVX5uHpzGFbcLW+nySTibuRph8EeYF0yrVjuoO+KPvr7InAA7zENCmJsDjkjnd9g+WR4wm73oE68/wpBCtlFGXxuhLP5RfdM7zEzK83iQksq4Eaa/xd/lV8qBAG63wolgk3spL9ZSJwe/5lHafM7aKznKuSPU8gz3X8dMeeCKEffXUQCcsBVacNKL4EVPz6KdjZQixUkOG0JDCFcAU3YfquS9SwvfbiO7x6d7rv0kQqMEexx6j+UYV5udTyPkmfz4IEvqsmU2zjIvgUEqeM2t8+I4V7PW676gbbDfQJiRqTrKhiPw7/ZDtPwxOPOKUwT3UMaOZ7i/6gLucdivJMMWAe799tK24ZQQS4ELI1xsKiRRidB7vHOMIkCYj5QdZbLqFSyR3bCLq/EolmMDWnA0yKCsY3UtrCaYVdpaNKDM0bdMhNuXXypy8wJdFr2C4juB1kUYyAA/LTskZYbyQV80b+vq8dKc5W3b5Q13Chm/wGRlisBmi8NhYXtJL8j72L/3K82bbwhHc+VLwmffxYq/zl0XZrMc/ZlLhoKHOGEDMe33SXhRDOUxchDTsblSnbybvW6EGs2IZqp1IYi3YtWkfoo2qHvnVa1OgNlpaAs7vMZ95wmvWJO3SDIJpAkGufDcgi8MPw1AyU2BLFI2PAcY9/x83jPtimVTJ2yTysC3eBZFaYPyaK0xWlAVtk+FR6oN5CvZwu/zKLNd73VOZAL2/4cMZq9PB598MLIrY+Ear2oFoINzLqv0NxUIaX/380P2327ZoUBpb5kSxyI/oAge1PjgnmV+FiInNom49YoehMRDNSCEk9n5gFghcX8VmM6DRemXKIZlj46ZXz9b1os3gc79BiHLY2OyazwP7xQGJO7/kcNJLI/wzPuVHDdqPcI3sk+IU=,iv:p7TGpmls39IYix0rHgeeV+ngkQkXybrUtKQCOF+M8rk=,tag:lNmUlYzd/zxvCfpk50TXTw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
          enc: |
@ -42,8 +40,8 @@ sops:
            ME9BMzQ3TmZmUW5aVG1Oa3hTNzdnd1EKFqMrQnP/5Nw654EJYTLjziDmffrr2Ryj
            5L9weh8fRKopPOPEXwPDULjxCL0G1AipFXwUgk+zJY8dJugDHvsmuA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-16T23:56:59Z"
+    lastmodified: "2025-06-09T01:43:52Z"
-    mac: ENC[AES256_GCM,data:bo8SHGmkNGQqR8nnlIKvAMzd+4vWJ19u9Kga2U1mOEYKMCyZ2nTXju6e327ppmx6KJUnzzieS7F8myE/5jzfd1+LyAN7QlL1xixtyLZH784Eh3c3Rd3sXKO/Tuj00gSsz8PsXzq8VK5RdR6NggxhMM6l3Mji4mTQibEzFQ0XPwo=,iv:6mAVBuMwxkO/ms0O/lpLEAg9lzVtZywMbwhL7diB4Z4=,tag:oGnwY5Ikc8qOrwNyiWqtGg==,type:str]
+    mac: ENC[AES256_GCM,data:pzzSwJ7kxIg4cmnS67DmXz26EKxLKzUtSFJ7vmlAdGphspYrwrRKHeKp/Rrpr15YMLUafXK9QAxeQQEIF6tQPtSLkHgYIb8xIaSRmNOR44OtWoiGBZWgTuFhQ1g2Po2Pn4EKQ2t9obPXxPA9I7EhPhIbqFepM37OQz6TX5SPEoE=,iv:UeX221QNsS6bYsETqRCDgVBNpgSX2RXUv8qWeMKWgYo=,tag:pbOUUcIhvNWv1HM6ti/FUw==,type:str]
    pgp:
        - created_at: "2024-12-29T00:45:42Z"
          enc: |-
@ -77,4 +75,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2
--- a/secrets/winters/secrets.yaml
+++ b/secrets/winters/secrets.yaml
@ -16,6 +16,7 @@ dnstoken: ENC[AES256_GCM,data:mRVmT1B1xzQWLRjwJUPBoYKSzr4Np3BJiV7psARFKcOZJlBAW3
 dnstokenfull: ENC[AES256_GCM,data:nIFYEO0KMXWBQyLsfM0v7xPSCbmW9Z4qKiGVh38b3mhWklYdMtarqQ==,iv:aQfxbBolEpMkfWHC+5/c5a/xiDhlz8BfJuuKicjVCzo=,tag:LoDgjcR6/VwKVy8DubLdew==,type:str]
 #ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment]
 paperless_admin: ENC[AES256_GCM,data:IbZxJzscc2z77RTYTBt5ZdCgtEgTSq5k0A==,iv:lrmP3rOLMuV04H+E0nsKF+KhNKAGHCFyaQnT+gg0wM0=,tag:lNbMYqAdjn0K1AhJKvhB9w==,type:str]
 kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str]
 #ENC[AES256_GCM,data:+dReUV9p,iv:gmVwWra3sP+9I0KVxzTXGzdbZEyRiT7p2BwE34ZDttM=,tag:jse7bGtSva6llqjSOCY/KA==,type:comment]
 mpdpass: ENC[AES256_GCM,data:OXDL8eyfBpX2gXB8aODahA5wNK7laaCQUg==,iv:zSQUtu1j+Z7SnYMA3jNvIFbG9LEbiB7uJ4y9xEmnvJY=,tag:ZKgtccYWT/k4q6Qc2y5WEg==,type:str]
 #ENC[AES256_GCM,data:pn5jSPCWhDl+,iv:f7dyv+83dT3azAuY+/+6i/KzX2a4JIEi+PLeYamORmg=,tag:c5doNQBt6A7fRXl26dWsEg==,type:comment]
@ -33,7 +34,9 @@ vpnloc: ENC[AES256_GCM,data:U8ModKho4vSHnMo9BOE978V6ZlMeQEoLaFW/,iv:Sw06YsWSZ4tG
 #ENC[AES256_GCM,data:yp7ApA4YLSk=,iv:O/SQxKe9EWqExHbeKsTXvbst0pjCxy3yiOjmeCVjmdY=,tag:RMkAOLOLCodnPSDEuImwRw==,type:comment]
 swarseluser: ENC[AES256_GCM,data:XvmOHYFNhb/bAYAZ/kmUWbbmRy/WrxSYri/Y5k+SH4N7ZIjuZDHOkWk93ERFuTb77HvhbPX/NRQraUoJoFsxGGg5co/gJnyfRg==,iv:J50PeDcC4PM3+yQ/YQNb8TW4kubwi2kjjSFU0RVFM30=,tag:ydLYkz1YKyguGZZZD/JcLA==,type:str]
 nextcloudadminpass: ENC[AES256_GCM,data:ZOCsu4/ijfheBfY9ZR5DBXSB,iv:bNlTLKQblnt2eYJqVgXwCaGAyAw2yhlb9Whsz0LBhm4=,tag:VQAWP/b8IghzXDFLJxXZ4Q==,type:str]
 #ENC[AES256_GCM,data:dyEwvFDSvI0=,iv:4LPFthS73mIYQt6MRLBTeNxCwKnJGc7sNFJfZCpMU3Y=,tag:X2mBwG1++2gcFIOi/xIgFA==,type:comment]
 grafanaadminpass: ENC[AES256_GCM,data:TBu0WOdvE+9CAH8EVm8=,iv:/usKOYscSXpo8tiSV/Las9eucBeYnpwG5DM9gJg8bfU=,tag:/LZqwuPWQyjSZURnsqq3hA==,type:str]
 kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,iv:p0y/UyIrFBTvWZKHbfdOSEpbMun7dZ8FyB5W7VS0oSY=,tag:+jKD+d9cRGKJkapGYxUEnw==,type:str]
 prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str]
 #ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment]
 fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+NojMifsy8S0=,tag:mHf0YYYxulLXAIByqmnOsA==,type:str]
@ -41,6 +44,13 @@ fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+N
 resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str]
 resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str]
 resticsecretaccesskey: ENC[AES256_GCM,data:j57l4p5viLZ2yL/KDrQpq1Dov69kpCRgzS4uEHgh4A==,iv:CYTxd4Vy1V+aW6EdaEOIma5vyDRL/VR6MlHqmAM1JQI=,tag:zLl0UZ50uN8YIrL+nOfurg==,type:str]
 #ENC[AES256_GCM,data:rdFEksmLPA==,iv:JKhyW30sCngf1/wFv8HLPesiz61QjAGhcBuoIw3CUDk=,tag:MaMJ8V5uqV1uFokLzmTJ7g==,type:comment]
 kanidm-admin-pw: ENC[AES256_GCM,data:cpSl4syzCcl8wohuNpZhwKZvY4x/YuSZUA==,iv:HmhoNL5IKMh4FMe69AcnviybQRXdZRwaNiZ10vRUbwA=,tag:VUgttt/1pcQtcCqR9Vea1A==,type:str]
 kanidm-idm-admin-pw: ENC[AES256_GCM,data:nfDLBctWIBUn1iyidczfn37ncINlfXjf4g==,iv:0nVO9bTOZ/PEe9rFUhXZ74AbStsAoDDhRWsM4cPvB+s=,tag:hM4+x7TpLctDpdotVhx7RQ==,type:str]
 kanidm-immich: ENC[AES256_GCM,data:is5Zx9FE9Qb/cajv6ZQU6B/0iKUgbBCp/g==,iv:vBU6wcrsO862oKgxdGfpOZXC/GJDhY9Rki2nLIy4IoM=,tag:6jNRNdQr/czoSihSQ+cHQg==,type:str]
 kanidm-paperless: ENC[AES256_GCM,data:bJJC20q8aJVzmIMXAHWvOoH652lSCFXDNg==,iv:0ctoPwxzMD1cSpZ7DyjOv9qP+cYt0MJsk2cfuzft3n8=,tag:KX1MtgOvcMxt1QHhAcXWcg==,type:str]
 kanidm-forgejo: ENC[AES256_GCM,data:zw0LcfNJw4q28l1E9q58D9bTKtl/CjGA3w==,iv:fYRGasFiM7PXeP5sWW6whj10CUKIqCfhIYQCNZjxQGo=,tag:sxQJa+ItPA+L3keWZ34SJA==,type:str]
 kanidm-grafana: ENC[AES256_GCM,data:61PEA1fBcaRy8+x0dn9WrH9P0D+NOkbeZw==,iv:kbR3JWzHsmsef+VlFGciZmyforxJCdvzHijvGFvFwpk=,tag:K+6baLIKy0L37KrJEQUgPg==,type:str]
 sops:
    age:
        - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
@ -52,8 +62,8 @@ sops:
            MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
            qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-24T16:09:43Z"
+    lastmodified: "2025-06-09T02:48:48Z"
-    mac: ENC[AES256_GCM,data:K6x8RdvbXEQMBMnhXL1vnD9urEGgsm+bg5WVIBExvML0ptkIX88AIXF9GPaOFdPJ7idKRrXe1euajGyDJZTZeM95auvEuw8Dyb3xC/2l21X9pAOlWQwhWNlilUu/G/JO56lXTxeIGS7qA1oUYRYGRyZYICbYssymcH/urcKGPZE=,iv:4QCTjTb1vs/7xWyvGC1eARMqaFAgkzKBsnxQIWv06gk=,tag:by8DbsqBHYbe3Xe+EbDIRA==,type:str]
+    mac: ENC[AES256_GCM,data:hHoWSuoIweKC/l/27aTOtn6A3qvlsFpHjoCnx2QtQrSUKvaHCeGnnv9U71hK56GW2OyL9fEfjfTNn7fZR5jQnjlZrwQAtFiXDaUMKT90QtHsZj87RBYmGKLdSpOSGrnimywGivAbJp2yWLQ8WnwnD0LwkYpylSUFOgiGD5W62cA=,iv:QYqCcbfL4x310InrMtTY8gdUpgqxcB85nbBKHLFltLA=,tag:fIV7PAY7hJCTEkEWcoq15g==,type:str]
    pgp:
        - created_at: "2024-12-17T16:24:32Z"
          enc: |-